From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 20:35:05 2004
Date: Mon, 8 Nov 2004 21:36:16 +0100
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: Help: Load Balancing 2 external connections
Message-ID: <20041108203616.GA21361@shellma.zin.lublin.pl>
In-Reply-To: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au>
List-Id: IPFW Technical Discussions

On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:

> My Questions are:
> a) Do I need any specific kernel options? i.e., features that aren't
> available otherwise through dynamic loading.

Using divert requires the IPDIVERT option (a loadable version of divert is in very fresh sources only), which is not in GENERIC, I guess. Both ipfw and dummynet can be loaded as modules. Warning: ipfw's default policy is to block all traffic, so be careful when loading it remotely. :)

> b) I'd like to make the whole thing transparent to the internal
> network.
> i.e., internal computers' nameserver references are to the
> gateway (rather than the ISP) which then translates such requests to the
> appropriate nameserver(s) of the relevant ISP according to which pipe
> the request is sent through :-)

That's obsolete. Set up your own caching DNS server, or allow the use of the nameservers of both upstream ISPs.

> b) I'm assuming that for the most part 'prob 0.5' will balance the load
> between two pipes to the external interfaces... but is there a better
> scheme? Also guaranteeing that a complete conversation, once initiated
> via an interface, would continue through that interface...

You don't understand what `pipe' is. A pipe is for bandwidth limiting, not for redirecting traffic between interfaces. What you want is called `fwd'. Still, prob 0.5 will match 50% of packets, which are not TCP sessions, so it won't work this way. You want connection (flow) balancing. This may be hard to achieve. I would experiment with a fwd rule with the keep-state option.

> c) How would you set it up to automatically place all traffic out via
> one of the external interfaces should the other connection not be
> available? i.e., auto-redundancy.

Set up some shell script that somehow checks if the connection is working and, if not, modifies the default route or the ipfw ruleset (using rule SETs may be helpful for atomic ipfw ruleset changes).

> d) any other tricks of the trade?
>
> #!/bin/sh
> <..>
> cmd="ipfw -q add"
> skip="skipto 800"
> ipfw -q -f flush
> $cmd 005 allow all from any to any via $iif
> $cmd 010 allow all from any to any via lo0
> $cmd 014 divert natd ip from any to any via $pif1
> $cmd 014 divert natd ip from any to any via $pif2
> $cmd 015 check-state
> # Public Interface
> for DNS in `grep nameserver /etc/resolv.conf | awk '{print $2}'`; do
>     $cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
> done
> # access isp dhcp server for cable
> $cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state
> # outgoing traffic
> $cmd 030 $skip tcp from any to any $tcpports out
> <...>
> # deny various incoming
> <...>
> # allow cable dhcp
> $cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
> <...>
> # reject/log
> $cmd 400 deny log all from any to any in
> $cmd 400 deny log all from any to any out
>
> # SKIPTO Section
> $cmd 800 prob 0.5 pipe 1 ip from any to any out via $pif1
> $cmd 800 prob 0.5 pipe 2 ip from any to any out via $pif2
> ipfw -q 800 pipe 1 config bw
> ipfw -q 800 pipe 2 config bw
>
> # Natd
> $cmd 801 divert natd ip from any to any out
> $cmd 802 allow ip from any to any
> # deny/log all else
> $cmd 999 deny log all from any to any

As said, this DNS stuff seems weird. Also, fwd is not used. Also, prob 0.5 is not used properly (the first rule will match 50%, the second will match 50% of the remaining 50%, which gives 25%). Try setting the default route to one ISP and fwd 50% of flows from its interface to the second ISP's gateway.

When configuring pipes, no rule number is needed; pipe configuration is not part of the ruleset. Note that by default a pipe will accept the packet (it won't be checked against further rules). Same with fwd. Same with allow.

I would suggest temporarily resigning from the blocking and dummynet stuff and just trying to create pure load balancing. It will be hard enough. Always do `ipfw -d show' and look at the rule counters to make sure that packets go as expected.
I would also look at the ipf and pf firewalls; they have strong session handling, and you may find one of them easier to set up, or even find some ready-to-use examples with Google.

-- 
Paweł Małachowski
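As an added example (not code from the original mail or from LD's script), here is a sh script built along the lines the reply suggests: default route to one ISP, `prob ... fwd ... keep-state' rules to balance new flows, rule SETs for an atomic ruleset change, and a probe that picks the working link for the default route. Interface names, gateway and source addresses and the ping probe are assumptions; NAT is left out, and the script generalizes the two-link case to N gateways.

```shell
#!/bin/sh
# Added example, not from the original mail: generate an ipfw(8) ruleset that
# balances new outbound flows over several ISP gateways with 'prob ... fwd ...
# keep-state', apply it atomically via rule sets, and pick the default route
# from a link probe. Interfaces, addresses and the probe command are assumed.
IPFW=${IPFW:-"echo ipfw"}           # dry run by default; IPFW=ipfw applies for real
PROBE=${PROBE:-"ping -q -c 2 -t 3"} # FreeBSD ping: -t is the overall timeout

# Sequential 'prob' rules see only what the earlier rules let through, so with
# N gateways rule k (k = 1..N-1) needs prob 1/(N-k+1); the leftover 1/N takes
# the default route. Two rules both at 0.5 would give 50% and 25%.
prob_for() {  # prob_for K N
    awk -v k="$1" -v n="$2" 'BEGIN { printf "%.4f", 1 / (n - k + 1) }'
}

# Print the balancing rules for set $1 (nothing is applied here). The default
# route is expected to point at GW1; each remaining gateway gets a fwd rule,
# and keep-state pins the rest of a flow to the path its first packet took.
balance_rules() {  # balance_rules SET LAN_IF GW1 GW2 [GW3 ...]
    set_no=$1; lan=$2; shift 3      # GW1 is reached through the default route
    n=$(($# + 1)); k=1
    echo "add 100 set $set_no check-state"
    for gw in "$@"; do
        echo "add 110 set $set_no prob $(prob_for "$k" "$n") fwd $gw ip from any to any in via $lan keep-state"
        k=$((k + 1))
    done
}

# Load the rules into a disabled set, then swap it with the live set in one
# step, so there is never a moment with half a ruleset in place.
activate_set() {  # activate_set NEW_SET LIVE_SET LAN_IF GW1 GW2 ...
    new=$1; live=$2; shift 2
    $IPFW set disable "$new"
    balance_rules "$new" "$@" | while read -r rule; do $IPFW $rule; done
    $IPFW set swap "$new" "$live"   # new rules now carry the live set number
    $IPFW delete set "$new"         # drop the retired rules
}

# Probe each gateway from the address bound to its own interface and print the
# first one that answers; the caller then runs 'route change default <gw>'.
pick_default() {  # pick_default SRC1 GW1 SRC2 GW2 ...
    while [ $# -ge 2 ]; do
        if $PROBE -S "$1" "$2" >/dev/null 2>&1; then echo "$2"; return 0; fi
        shift 2
    done
    return 1                        # no link answered
}
```

Whether the split really happens is still something to confirm from the counters of `ipfw -d show', as the reply says.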